Web browsers have taken a new step towards reducing the need for passwords and the security problems that come with them. Google Chrome, Mozilla Firefox, and Microsoft Edge have agreed to support a new Web Authentication API that reduces the need for passwords at login and should eventually protect against phishing. The Internet standards organizations W3C and the FIDO Alliance have launched a new specification that lets browsers and websites replace passwords with public-key credentials unlocked by biometric methods.
With the specification, called WebAuthn, web developers will be able to integrate fingerprint readers and face scanners into their websites. The method uses public-key cryptography and gives the user a separate key pair for each site they sign up with, which solves the common problem of password reuse. When the API is available, you could visit a site on a PC, hit the login button, and then receive a prompt on your smartphone asking you to register.
The new feature is expected to be available in the upcoming versions of Firefox, Chrome, and Edge, which will be released in the next few months. It has reached the ‘Candidate Recommendation (CR) stage’, meaning it is being recommended to the standards bodies for final approval.
Enterprises and online service providers can now protect their users from the risks associated with passwords, including phishing, man-in-the-middle attacks, the abuse of stolen credentials, and many more. They will be able to implement standards-based strong authentication that works through the browser or via an external authenticator.
After many decades of severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time passcodes. These developments will change the way in which people access the Web.
How WebAuthn works
These are the steps involved when WebAuthn is used.
Registration on the phone:
1. The user signs into an existing account using a password, or registers a brand new account
2. The phone then asks “Do you want to register this device with this website?”
3. If the user agrees, the phone prompts for an authorization gesture (fingerprint, facial scan, PIN, etc.)
Authentication on a computer:
1. The user goes to a website in a browser and sees a “Sign in with your phone” option
2. If the user selects this option, the browser displays the message “Please complete this action using your phone”
3. The user’s phone displays a prompt/notification
4. A prompt for the saved authorization gesture (fingerprint, facial scan, PIN, etc.) then appears
5. The user signs in with the selected gesture
What Can We Expect in the Future?
This can move users from passwords to their personal devices instead, which makes phishing attacks more difficult. It is high time to retire the old password system. With WebAuthn support rolling out, the future certainly looks bright for a world without passwords.